LKML: Yi Yang: Re: [PATCH] Fix user data corrupted by old value return of sysctl
Date: Sat, 31 Dec 2005 09:08:54 +0800
From: Yi Yang <>
Subject: Re: [PATCH] Fix user data corrupted by old value return of sysctl

Linus Torvalds wrote:

>On Fri, 30 Dec 2005, Yi Yang wrote:
>
>>If the user reads a sysctl entry which is of string type
>>by sysctl syscall, this call probably corrupts the user data
>>right after the old value buffer, the issue lies in sysctl_string
>>setting 0 to oldval[len], len is the available buffer size
>>specified by the user, obviously, this will write to the first
>>byte of the user memory place immediately after the old value buffer,
>>the correct way is that sysctl_string doesn't set 0, the user
>>should do it by self in the program.
>>
>
>Hmm.. I think this patch is incomplete.
>
>We _should_ zero-pad the data, at least if the result fits in the buffer.
>
>So I think the correct fix is to just _copy_ the last zero if it fits in
>the buffer, rather than do the unconditional "add NUL at the end" thing.
>The simplest way to do that is to just make "l" be "strlen(str)+1", so
>that we count the ending NUL in the length (and then, if the buffer isn't
>big enough, we will truncate it).
>
>In other words, I would instead suggest a patch like the appended.
>
>But even that is questionable: one alternative is to always zero-pad (like
>we used to), but make sure that the buffer size is sufficient for it (ie
>instead of adding one to the length of the string, we'd subtract one from
>the buffer length and make sure that the '\0' fits..
>
>Comments?
>
Yes, you are more complete, I agree with it very much.

> Linus
>---
>diff --git a/kernel/sysctl.c b/kernel/sysctl.c
>index 9990e10..ad0425a 100644
>--- a/kernel/sysctl.c
>+++ b/kernel/sysctl.c
>@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int 
> if (get_user(len, oldlenp))
> return -EFAULT;
> if (len) {
>- l = strlen(table->data);
>+ l = strlen(table->data)+1;
> if (len > l) len = l;
> if (len >= table->maxlen)
> len = table->maxlen;
> if(copy_to_user(oldval, table->data, len))
> return -EFAULT;
>- if(put_user(0, ((char __user *) oldval) + len))
>- return -EFAULT;
> if(put_user(len, oldlenp))
> return -EFAULT;
> }
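
Review bot: with `l = strlen(table->data)+1`, the value written back by `put_user(len, oldlenp)` now counts the terminating NUL whenever the whole string fits, so a caller that treated the returned length as the string length will see it grow by one; the changelog or a comment above the assignment should say so. In the truncating path (the caller's len is smaller than l) dropping `put_user(0, ((char __user *) oldval) + len)` stops the one-byte write past the buffer but leaves oldval with no terminator at all, so either take the alternative mentioned in the message (reserve one byte of len for the '\0') or document that userspace must compare the returned length with its buffer size before using the result as a C string.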
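
The three behaviours discussed in this message (the original code, the quoted patch, and the "subtract one from the buffer length" alternative), modelled in user space as an added example; it is not code from the thread or from the kernel. `copy_oldval`, `probe`, `enum variant`, the 64-byte `maxlen` and the sample string are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the old-value copy in sysctl_string(): memcpy and a
 * plain store stand in for copy_to_user()/put_user(). Hypothetical names. */
enum variant { OLD, PATCHED, RESERVE };

/* Returns the length that would be written back through oldlenp. */
static size_t copy_oldval(enum variant v, char *oldval, size_t len,
                          const char *data, size_t maxlen)
{
    size_t l = strlen(data);
    if (len == 0) return 0;             /* kernel: if (len) { ... } */
    if (v == PATCHED) l++;              /* count the terminating NUL */
    if (v == RESERVE) len--;            /* keep one byte free for the NUL */
    if (len > l) len = l;
    if (len >= maxlen) len = maxlen;
    memcpy(oldval, data, len);
    if (v != PATCHED) oldval[len] = 0;  /* OLD: may land one past the buffer */
    return len;
}

struct result { size_t reported; int clobbered, terminated; };

/* Constructed probe: mem[0..buflen-1] is the caller's buffer and mem[buflen]
 * is the unrelated byte right after it. buflen must be below sizeof mem. */
static struct result probe(enum variant v, size_t buflen, const char *data)
{
    char mem[16];
    struct result r;
    memset(mem, 0x55, sizeof mem);
    r.reported = copy_oldval(v, mem, buflen, data, 64);
    r.clobbered = mem[buflen] != 0x55;
    r.terminated = memchr(mem, 0, buflen) != NULL;
    return r;
}

int main(void)
{
    static const char *name[] = { "old", "patched", "reserve" };
    for (int v = OLD; v <= RESERVE; v++) {
        struct result r = probe((enum variant)v, 4, "linux");
        printf("%-8s reported=%zu clobbered=%d terminated=%d\n",
               name[v], r.reported, r.clobbered, r.terminated);
    }
    return 0;
}
```

With a 4-byte buffer and a 5-character value, only the original variant touches the byte after the buffer, and only the reserving variant hands back a terminated string.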